Allow for more cryptographic agility? Use of client_secret as key is tied directly to HS256, HS384 and HS512 algos.

Step 5 in http://openid.net/specs/openid-connect-messages-1_0.html#id.token.verification has "If the alg parameter of the JWT header is one of HS256, HS384, or HS512, the client_secret for the client_id contained in the aud (audience) Claim is used as the key to validate the signature."

Perhaps something like the following to replace the first part of that sentence would accomplish the same thing but more generally allow for the use of a SHA3 HMAC or whatever else might come along in the future, "If the alg parameter of the JWT header indicates the use of a MAC based algorithm, the client_secret..."

Comments (3)